Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 23, 2023, 3:20 p.m.	March 23, 2023, 3:22 p.m.

Size	9.5MB
Type	RAR archive data, flags: EncryptedBlockHeader
MD5	`37262ca3a1d563877f4324ee75b6facb`
SHA256	`14e911936266e9a1ef7d9368301a8d2cfcd1ed5d7876a01dac4f3f369f320797`
CRC32	`8F5C384D`
ssdeep	`196608:XWFSNRJkE2vO9wEW1P22lDIiVBsMuX4yWNHva5tg8V1WykHvx7WZ645gEg:X7NQp29wEiRDiMw4yWNHvetg8V1WykPp`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NkbnCk" C:\Users\test22\AppData\Local\Temp\Pass_1234_Setup.rar
2996
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\Pass_1234_Setup.rar"
  944

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.181.10.208	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin M1	A Network Trojan was detected
TCP 185.181.10.208:80 -> 192.168.56.102:49199	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin M1	A Network Trojan was detected
TCP 185.181.10.208:80 -> 192.168.56.102:49199	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.181.10.208:80 -> 192.168.56.102:49193	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.181.10.208:80 -> 192.168.56.102:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 185.181.10.208:80	2036884	ET HUNTING Possible Generic Stealer Sending System Information	Misc activity
TCP 192.168.56.102:49199 -> 185.181.10.208:80	2036884	ET HUNTING Possible Generic Stealer Sending System Information	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 23, 2023, 3:20 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 23, 2023, 3:20 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://185.181.10.208/
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5

Performs some HTTP requests (10 events)

request	POST http://185.181.10.208/
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
request	GET http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
request	POST http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609
request	POST http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5

Sends data using the HTTP POST Method (3 events)

request	POST http://185.181.10.208/
request	POST http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609
request	POST http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 23, 2023, 3:20 p.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74012000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 23, 2023, 3:20 p.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73913000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (29 events)

file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\threatmodels\index.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\shell_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\services\electron.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\desktopreport_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\welcome\index.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\installer-osx.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\welcome_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\services\threatmodellocator.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\layout\index.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\main.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\datacontextdemo_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\app.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\config.route.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\config.autoupdate.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\services\index.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\services\datacontextdemo.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\threatmodellocator_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\Setup_win32_64.exe
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\threatmodels\desktopreport.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\config\squirrel.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\installer-lin.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\karma.conf.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\datacontext_spec.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\config.exceptionHandler.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\tests\specs\test.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\layout\shell.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\installer-win.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\services\datacontext.js
file	C:\Users\test22\AppData\Local\Temp\7zE0B329E4D\.local\.threat_dragon\app\welcome\welcome.js

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 23, 2023, 3:20 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW March 23, 2023, 3:20 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

185.181.10.208

Pass_1234_Setup.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All